/*     */ package com.zimbra.cs.service.admin;
/*     */ 
/*     */ import com.zimbra.common.account.Key.AccountBy;
/*     */ import com.zimbra.common.account.Key.DomainBy;
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.soap.AdminConstants;
/*     */ import com.zimbra.common.soap.Element;
/*     */ import com.zimbra.common.soap.Element.Disposition;
/*     */ import com.zimbra.common.util.Log;
/*     */ import com.zimbra.common.util.ZimbraCookie;
/*     */ import com.zimbra.common.util.ZimbraLog;
/*     */ import com.zimbra.cs.account.Account;
/*     */ import com.zimbra.cs.account.AccountServiceException.AuthFailedServiceException;
/*     */ import com.zimbra.cs.account.AuthToken;
/*     */ import com.zimbra.cs.account.AuthTokenException;
/*     */ import com.zimbra.cs.account.Domain;
/*     */ import com.zimbra.cs.account.Provisioning;
/*     */ import com.zimbra.cs.account.accesscontrol.AdminRight;
/*     */ import com.zimbra.cs.account.auth.AuthContext.Protocol;
/*     */ import com.zimbra.cs.account.auth.AuthMechanism.AuthMech;
/*     */ import com.zimbra.cs.service.AuthProvider;
/*     */ import com.zimbra.cs.servlet.util.CsrfUtil;
/*     */ import com.zimbra.cs.session.Session;
/*     */ import com.zimbra.cs.util.AccountUtil;
/*     */ import com.zimbra.soap.ZimbraSoapContext;
/*     */ import java.util.HashMap;
/*     */ import java.util.List;
/*     */ import java.util.Map;
/*     */ import javax.servlet.ServletRequest;
/*     */ import javax.servlet.http.HttpServletRequest;
/*     */ import javax.servlet.http.HttpServletResponse;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class Auth
/*     */   extends AdminDocumentHandler
/*     */ {
/*     */   public Element handle(Element request, Map<String, Object> context)
/*     */     throws ServiceException
/*     */   {
/*  64 */     ZimbraSoapContext zsc = getZimbraSoapContext(context);
/*  65 */     AuthToken at = null;
/*  66 */     Account acct = null;
/*     */     
/*  68 */     Provisioning prov = Provisioning.getInstance();
/*  69 */     boolean csrfSupport = request.getAttributeBool("csrfTokenSecured", false);
/*  70 */     String name = request.getAttribute("name", null);
/*  71 */     Element acctEl = request.getOptionalElement("account");
/*     */     
/*     */ 
/*  74 */     if ((name == null) && (acctEl == null))
/*     */     {
/*  76 */       at = zsc.getAuthToken();
/*  77 */       if (at == null)
/*     */       {
/*  79 */         Element authTokenEl = request.getOptionalElement("authToken");
/*  80 */         if (authTokenEl != null) {
/*     */           try {
/*  82 */             at = AuthProvider.getAuthToken(request, new HashMap());
/*     */           } catch (AuthTokenException e) {
/*  84 */             throw ServiceException.AUTH_REQUIRED();
/*     */           }
/*     */         }
/*     */       }
/*     */       
/*  89 */       if (at == null)
/*     */       {
/*  91 */         throw ServiceException.AUTH_REQUIRED();
/*     */       }
/*  93 */       com.zimbra.cs.service.account.Auth.addAccountToLogContextByAuthToken(prov, at);
/*     */       
/*  95 */       if (at.isExpired()) {
/*  96 */         throw ServiceException.AUTH_EXPIRED();
/*     */       }
/*  98 */       if (!at.isRegistered()) {
/*  99 */         throw ServiceException.AUTH_EXPIRED("authtoken is invalid");
/*     */       }
/*     */       
/* 102 */       acct = prov.get(Key.AccountBy.id, at.getAccountId(), at);
/* 103 */       if ((acct == null) || (!acct.getAccountStatus(prov).equals("active"))) {
/* 104 */         throw ServiceException.AUTH_EXPIRED();
/*     */       }
/*     */       
/* 107 */       checkAdmin(acct);
/*     */ 
/*     */ 
/*     */ 
/*     */     }
/*     */     else
/*     */     {
/*     */ 
/*     */ 
/* 116 */       if ((name != null) && (acctEl != null))
/* 117 */         throw ServiceException.INVALID_REQUEST("only one of <name> or <account> can be specified", null);
/* 118 */       if ((name == null) && (acctEl == null)) {
/* 119 */         throw ServiceException.INVALID_REQUEST("missing <name> or <account>", null);
/*     */       }
/* 121 */       String password = request.getAttribute("password");
/* 122 */       Element virtualHostEl = request.getOptionalElement("virtualHost");
/* 123 */       String virtualHost = virtualHostEl == null ? null : virtualHostEl.getText().toLowerCase();
/*     */       
/*     */       Key.AccountBy by;
/*     */       String valuePassedIn;
/*     */       Key.AccountBy by;
/* 128 */       if (name != null) {
/* 129 */         String valuePassedIn = name;
/* 130 */         by = Key.AccountBy.name;
/*     */       } else {
/* 132 */         valuePassedIn = acctEl.getText();
/* 133 */         String byStr = acctEl.getAttribute("by", Key.AccountBy.name.name());
/* 134 */         by = Key.AccountBy.fromString(byStr);
/*     */       }
/* 136 */       String value = valuePassedIn;
/*     */       
/*     */       try
/*     */       {
/* 140 */         if ((by == Key.AccountBy.name) && (value.indexOf("@") == -1))
/*     */         {
/*     */ 
/* 143 */           acct = prov.get(Key.AccountBy.adminName, value, zsc.getAuthToken());
/*     */           
/*     */ 
/* 146 */           if ((acct == null) && 
/* 147 */             (virtualHost != null)) {
/* 148 */             Domain d = prov.get(Key.DomainBy.virtualHostname, virtualHost);
/* 149 */             if (d != null) {
/* 150 */               value = value + "@" + d.getName();
/*     */             }
/*     */           }
/*     */         }
/*     */         
/* 155 */         if (acct == null) {
/* 156 */           acct = prov.get(by, value);
/*     */         }
/* 158 */         if (acct == null) {
/* 159 */           throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(value, valuePassedIn, "account not found");
/*     */         }
/* 161 */         AccountUtil.addAccountToLogContext(prov, acct.getId(), "name", "id", null);
/*     */         
/* 163 */         ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[] { "cmd", "AdminAuth", "account", value }));
/*     */         
/*     */ 
/* 166 */         Map<String, Object> authCtxt = new HashMap();
/* 167 */         authCtxt.put("ocip", context.get("orig.request.ip"));
/* 168 */         authCtxt.put("remoteip", context.get("soap.request.ip"));
/* 169 */         authCtxt.put("anp", valuePassedIn);
/* 170 */         authCtxt.put("ua", zsc.getUserAgent());
/* 171 */         authCtxt.put("asAdmin", Boolean.TRUE);
/* 172 */         prov.authAccount(acct, password, AuthContext.Protocol.soap, authCtxt);
/* 173 */         checkAdmin(acct);
/* 174 */         AuthMechanism.AuthMech authedByMech = (AuthMechanism.AuthMech)authCtxt.get("authedByMech");
/* 175 */         at = AuthProvider.getAuthToken(acct, true, authedByMech);
/*     */       } catch (ServiceException se) {
/* 177 */         ZimbraLog.security.warn(ZimbraLog.encodeAttrs(new String[] { "cmd", "AdminAuth", "account", value, "error", se.getMessage() }));
/*     */         
/* 179 */         throw se;
/*     */       }
/*     */     }
/* 182 */     if (at != null) {
/* 183 */       at.setCsrfTokenEnabled(csrfSupport);
/*     */     }
/* 185 */     ServletRequest httpReq = (ServletRequest)context.get("servlet.request");
/* 186 */     httpReq.setAttribute("AuthToken", at);
/* 187 */     return doResponse(request, at, zsc, context, acct, csrfSupport);
/*     */   }
/*     */   
/*     */   private void checkAdmin(Account acct) throws ServiceException {
/* 191 */     boolean isDomainAdmin = acct.getBooleanAttr("zimbraIsDomainAdminAccount", false);
/* 192 */     boolean isAdmin = acct.getBooleanAttr("zimbraIsAdminAccount", false);
/* 193 */     boolean isDelegatedAdmin = acct.getBooleanAttr("zimbraIsDelegatedAdminAccount", false);
/* 194 */     boolean ok = (isDomainAdmin) || (isAdmin) || (isDelegatedAdmin);
/* 195 */     if (!ok) {
/* 196 */       throw ServiceException.PERM_DENIED("not an admin account");
/*     */     }
/*     */   }
/*     */   
/*     */   private Element doResponse(Element request, AuthToken at, ZimbraSoapContext zsc, Map<String, Object> context, Account acct, boolean csrfSupport) throws ServiceException {
/* 201 */     Element response = zsc.createElement(AdminConstants.AUTH_RESPONSE);
/* 202 */     at.encodeAuthResp(response, true);
/*     */     
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 208 */     HttpServletRequest httpReq = (HttpServletRequest)context.get("servlet.request");
/* 209 */     HttpServletResponse httpResp = (HttpServletResponse)context.get("servlet.response");
/* 210 */     boolean rememberMe = request.getAttributeBool("persistAuthTokenCookie", false);
/* 211 */     at.encode(httpResp, true, ZimbraCookie.secureCookie(httpReq), rememberMe);
/*     */     
/* 213 */     response.addAttribute("lifetime", at.getExpires() - System.currentTimeMillis(), Element.Disposition.CONTENT);
/*     */     
/* 215 */     Session session = updateAuthenticatedAccount(zsc, at, context, true);
/* 216 */     if (session != null) {
/* 217 */       ZimbraSoapContext.encodeSession(response, session.getSessionId(), session.getSessionType());
/*     */     }
/*     */     
/* 220 */     boolean csrfCheckEnabled = false;
/* 221 */     if (httpReq.getAttribute("zimbraCsrfTokenCheckEnabled") != null) {
/* 222 */       csrfCheckEnabled = ((Boolean)httpReq.getAttribute("zimbraCsrfTokenCheckEnabled")).booleanValue();
/*     */     }
/* 224 */     if ((csrfSupport) && (csrfCheckEnabled)) {
/* 225 */       String accountId = at.getAccountId();
/* 226 */       long authTokenExpiration = at.getExpires();
/* 227 */       int tokenSalt = ((Integer)httpReq.getAttribute("CSRF_SALT")).intValue();
/* 228 */       String token = CsrfUtil.generateCsrfToken(accountId, authTokenExpiration, tokenSalt, at);
/*     */       
/* 230 */       Element csrfResponse = response.addUniqueElement("csrfToken");
/* 231 */       csrfResponse.addText(token);
/* 232 */       httpResp.setHeader("X-Zimbra-Csrf-Token", token);
/*     */     }
/* 234 */     return response;
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean needsAuth(Map<String, Object> context)
/*     */   {
/* 240 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean needsAdminAuth(Map<String, Object> context)
/*     */   {
/* 246 */     return false;
/*     */   }
/*     */   
/*     */   public void docRights(List<AdminRight> relatedRights, List<String> notes)
/*     */   {
/* 251 */     notes.add("Do not need any right, all admins are allowed.");
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/service/admin/Auth.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */